Summary
Handling DMARC failures due to email forwarding requires a multi-faceted approach encompassing technical solutions, policy adjustments, and user education. A foundational step is to implement and rigorously maintain SPF, DKIM, and DMARC across all email domains to establish a baseline level of authentication and security. Starting with a DMARC policy of 'p=none' allows for monitoring and analysis of email streams without rejecting legitimate emails, enabling the identification of forwarding patterns and authentication issues. The Authenticated Received Chain (ARC) protocol emerges as a pivotal technology, preserving authentication results across intermediaries and thus validating the original authentication even after forwarding, though it's not a complete solution. Recipient education on proper forwarding techniques, such as forwarding as attachments, and offering alternative communication methods like SMS notifications mitigate authentication failures. Other technical considerations include SPF flattening to avoid exceeding lookup limits, and configuring trusted forwarders in Microsoft 365. Regular audits of email infrastructure, coupled with reviewing DMARC reports, ensure ongoing effectiveness.
Key findings
- SPF, DKIM, DMARC: Implementing and maintaining SPF, DKIM, and DMARC is fundamental for email authentication and security.
- ARC Protocol: ARC helps preserve authentication through forwarding chains, but is not a complete solution in itself.
- Monitoring DMARC: Using 'p=none' DMARC policy initially helps monitor and analyze forwarding issues.
- Recipient Education: Educating users on correct forwarding methods reduces authentication failures.
- Alternative Channels: Using alternative channels like SMS for critical communications bypasses email authentication.
- Regular Audits: Regular infrastructure audits and reviewing DMARC reports ensure continued effectiveness.
Key considerations
- Phased Implementation: Implement DMARC in phases, starting with monitoring, to understand email ecosystem fully.
- Configuration Complexity: Proper configuration of SPF, DKIM, DMARC, and ARC is essential for optimal results.
- SPF Limitations: SPF alone is often insufficient for handling forwarding scenarios; consider complementary mechanisms.
- Proactive Approach: Treat authentication failures as an opportunity to investigate and improve security posture.
- Targeted Outreach: Where possible, undertake targeted outreach to those forwarding email incorrectly.
- Importance of BIMI: BIMI should be used to show your company logo to users
What email marketers say
13 marketer opinions
When handling DMARC failures due to email forwarding, several strategies can be employed. A common starting point is to implement a DMARC policy of 'p=none' to monitor email streams without rejecting emails. Analyzing DMARC reports is crucial to identify forwarding patterns and potential authentication issues. Recipient education is vital, encouraging them to forward emails as attachments or use methods that preserve headers. Alternative communication channels like SMS or web-based alerts can bypass email authentication problems altogether. On the technical side, ARC (Authenticated Received Chain) can help preserve authentication across multiple hops, and DKIM signing ensures email integrity. SPF flattening can prevent SPF record lookup limits. Regular infrastructure audits and a combination of SPF, DKIM, and DMARC are recommended to enhance overall email deliverability.
Key opinions
- Monitoring DMARC: Using a 'p=none' DMARC policy for monitoring helps identify forwarding issues without immediate rejections.
- Recipient Education: Educating recipients on proper forwarding methods (as attachments) reduces authentication failures.
- Alternative Channels: Employing SMS or web alerts bypasses email authentication problems for critical communications.
- ARC Implementation: ARC (Authenticated Received Chain) can preserve authentication results across multiple email hops.
- DKIM Signing: DKIM ensures email integrity and allows recipients to verify authenticity.
- SPF Flattening: SPF flattening prevents exceeding SPF record lookup limits, maintaining validity.
Key considerations
- DMARC Reports: Regularly review DMARC reports to understand forwarding patterns and authentication failures.
- Infrastructure Audits: Conduct regular audits to identify and fix misconfigurations affecting email authentication.
- Combined Authentication: Use a combination of SPF, DKIM, and DMARC for comprehensive email authentication.
- Technical limitations: Outside of p=quarantine, there are few technical solutions.
- Targeted Outreach: If possible, undertake targeted outreach to the biggest offenders, asking them to add you to their safe senders list.
Marketer view
Email marketer from Valimail Blog suggests using a DMARC policy of 'p=none' to monitor email streams without rejecting legitimate emails that fail authentication due to forwarding. Analyze DMARC reports to identify forwarding patterns and adjust configurations or contact frequent forwarders.
23 Jun 2023 - Valimail Blog
Marketer view
Email marketer from Reddit suggests starting with a DMARC policy of 'p=none' and gradually moving to 'p=quarantine' or 'p=reject' as you gain confidence in your email authentication setup. Monitor DMARC reports to identify and address any issues with forwarding or other authentication failures.
12 Jul 2022 - Reddit
What the experts say
3 expert opinions
Experts emphasize the importance of comprehensive email authentication using SPF, DKIM, and DMARC across all email domains to prevent phishing. While ARC (Authenticated Received Chain) helps preserve authentication across forwarding chains, it's not a complete solution and requires careful investigation. Forwarding can also complicate List-Unsubscribe header handling, potentially causing unintended unsubscribes when authentication breaks, requiring careful configuration and an understanding of forwarding scenarios. BIMI (Brand Indicators for Message Identification) should be used to show your company logo.
Key opinions
- Comprehensive Authentication: SPF, DKIM, and DMARC are essential for securing email domains against phishing.
- ARC Limitations: ARC helps preserve authentication, but it's not a complete solution for all forwarding scenarios.
- List-Unsubscribe Complications: Forwarding can break List-Unsubscribe, leading to unintended unsubscribes.
- Importance of BIMI: BIMI should be used to show your company logo to users
Key considerations
- Forwarding Scenarios: Carefully consider how forwarding impacts authentication results and List-Unsubscribe handling.
- Configuration Complexity: Proper configuration is crucial for managing forwarding complexities.
- Investigation of issues: Treating authentication as a reason to investigate issues and using tools like ARC is crucial.
Expert view
Expert from Word to the Wise, Laura Atkins, explains that ARC (Authenticated Received Chain) is helpful but not a complete solution. She suggests that senders using authentication shouldn't see forwarding as a problem, but rather a reason to investigate and consider tools like ARC to help preserve authentication results.
6 Jun 2023 - Word to the Wise
Expert view
Expert from Word to the Wise, Laura Atkins, discusses the complications that forwarding can introduce with List-Unsubscribe headers, potentially causing unintended unsubscribes when forwarding breaks authentication. Proper handling requires careful configuration and understanding of forwarding scenarios.
25 Mar 2023 - Word to the Wise
What the documentation says
4 technical articles
Documentation highlights several approaches to handle DMARC failures due to forwarding. ARC (Authenticated Received Chain) is recommended for preserving authentication across intermediaries, allowing validation of original authentication. DMARC implementation should be phased, starting with a monitoring-only policy ('p=none') before moving to enforcement. SPF records need accurate configuration, including all legitimate sending sources. Microsoft 365 offers trusted forwarder configurations to maintain authentication for forwarded emails.
Key findings
- ARC Protocol: ARC preserves authentication results across forwarding hops, aiding validation.
- Phased DMARC: A phased DMARC rollout, starting with monitoring, helps identify and resolve issues.
- SPF Configuration: Accurate SPF records are necessary but insufficient for handling forwarding alone.
- Trusted Forwarders: Microsoft 365 allows configuration of trusted forwarders to preserve authentication.
Key considerations
- Scope of ARC: Understand the limitations of ARC and when it's most effective.
- Policy Enforcement: Carefully plan DMARC policy enforcement to minimize disruption to legitimate email flow.
- SPF Sufficiency: Recognize that SPF alone might not handle all forwarding scenarios; consider complementary mechanisms.
- Microsoft 365 Configuration: Properly configure trusted forwarders within Microsoft 365 for optimal results.
Technical article
Documentation from DMARC.org advises implementing DMARC in phases, starting with a monitoring-only policy ('p=none') and progressing to enforcement policies ('p=quarantine' or 'p=reject') as you gain visibility into your email ecosystem and resolve any authentication issues.
23 Jun 2021 - DMARC.org
Technical article
Documentation from Microsoft Docs recommends that configuring trusted forwarders in Microsoft 365 can help preserve authentication results for forwarded emails. This involves setting up specific rules and policies to recognize and trust legitimate forwarding sources.
15 Feb 2025 - Microsoft Docs
How can I troubleshoot DMARC failures and identify the cause of authentication issues?
How do DMARC policies and RUA/RUF settings inherit or override each other between a domain and its subdomains?
How do DMARC, spam complaints, and IP reputation affect email deliverability and rejections?
How do email forwarding and DMARC policies affect email delivery and reporting?
How do Google Groups impact DMARC when forwarding emails from multiple domains?
How does ARC impact email deliverability for DMARC-enforced domains, and what are the best practices for marketers?
